The present invention relates to the field of software and, in particular, to methods and systems for a comprehensive security model for managing active content downloaded from a computer network.
In recent years, there has been a tremendous proliferation of computers connected to a global computer network known as the Internet. A "client" computer connected to the Internet can download digital information from "server" computers connected to the Internet. Client application and operating system software executing on client computers typically accept commands from a user and obtain data and services by sending requests to server applications running on server computers connected to the Internet. A number of protocols are used to exchange commands and data between computers connected to the Internet. The protocols include the File Transfer Protocol (FTP), the HyperText Transfer Protocol (HTTP), the Simple Mail Transfer Protocol (SMTP), and the "Gopher" document protocol.
The HTTP protocol is used to access data on the World Wide Web, often referred to as "the Web." The World Wide Web is an area within the Internet that stores HTML documents. The World Wide Web is made up of numerous Web sites around the world that maintain and distribute Web documents. A Web site may use one or more Web server computers that are able to store and distribute documents in one of a number of formats including the HyperText Markup Language (HTML). An HTML document can contain text, graphics, audio clips, and video clips, as well as metadata or commands providing formatting information. HTML documents also include embedded "links" that reference other data or documents located on the local computer or network server computers.
A Web browser is a client application, software component, or operating system utility that communicates with server computers via standardized protocols such as HTTP, FTP and Gopher. Web browsers receive documents from the computer network and present them to a user. Microsoft Internet Explorer, available from Microsoft Corporation, of Redmond, Wash. is an example of a popular Web browser.
An intranet is a local area network containing servers and client computers operating in a manner similar to the World Wide Web described above. Additionally, a Web browser on an intranet can retrieve files from a file system server executing on the same computer as the Web browser, or on a remote computer on the local area network. A Web browser can retrieve files on the local area network using the "FILE" protocol, which comprises file system commands. Typically, all of the computers on an intranet are contained within a company or organization. Many intranets have a "firewall" that functions as a gateway between the intranet and the Internet, and prevents outside people from breaking into the computers of an organization. A "proxy server" is one well-known portion of a firewall.
In addition to data and metadata (data about data), HTML documents can contain embedded software components containing program code that perform a wide variety of operations on the host computer to which the document is downloaded. These software components expand the interactive ability of an HTML document and can perform other operations, such as manipulating data and playing audio or video clips. ActiveX is a specification developed by Microsoft Corporation for creating software components that can be embedded into an HTML document. Java is a well-known programming language that can be used to develop small computer applications called "applets" and standalone software components called "classes" which are transmitted with HTML documents when they are downloaded from Web servers to client computers. JavaScript and VBScript are scripting languages that are also used to extend the capabilities of HTML. JavaScript and VBScript scripts are embedded in HTML documents. A browser executes each script as it reaches the position in the script during interpretation of the HTML document.
Some software components transferred over the World Wide Web perform operations that are not desired by a user. This may occur either because a component developer intentionally programmed the software component to maliciously perform a harmful operation, or because an unintentional "bug" in the software causes the component to perform a harmful operation. In addition to components that are transferred with an HTML document or by the HTTP protocol, files transferred to a client computer utilizing other protocols, such as FTP, may include commands that perform harmful operations.
One way in which browsers have addressed the security problem presented by potentially harmful software components is to notify the user prior to performing a potentially harmful operation while the software component is running on the host system. The user is permitted to determine, prior to each operation, whether to allow the specified operation. For example, prior to installing a Java class, a browser may display a dialog window specifying the source of the Java class and allowing the user to decide whether or not to install the specified class. Similarly, the browser may present a dialog window to the user prior to downloading a file, executing a program, or executing a script. This security procedure can result in a user repeatedly being presented with dialog windows asking for permission to perform certain operations, interrupting the user's browsing session. Faced with frequent interruptions as the software component runs, a user may respond hastily and improperly.
It is desirable to have a mechanism that allows the fine-grained administration of the permissions given to a software component, or other active content, that is downloaded from a computer network to a host system. Preferably, the mechanism would automatically administer the decision to grant or deny permissions to the downloaded active content to perform certain protected operations on the host system. The mechanism would preferably administer permissions in zones by comparing a requested set of permissions that the active content requires to run with a set of permissions that has been pre-configured in a manner that reflects the risk that active content downloaded from that zone may be harmful to the host system. Additionally, it would be advantageous if the mechanism processed the permissions required by the active content without having to run the active content and then stored any granted permissions with the active content so that the permission comparison need only be conducted when the active content is first downloaded. The mechanism would also preferably be able to automatically compare many different types of permissions that may be defined by a wide range of expressions. Further, a preferable mechanism would provide sets of predetermined security settings that represent varying levels of trust that can be associated with a zone, or provide a way for the user to configure the permission sets down to a very "fine-grained" level. The present invention is directed to providing such a mechanism.
In accordance with this invention, a system and a computer-based method of providing security when downloading foreign active content from a computer network is disclosed. Foreign active content is untrusted code that may attempt to run on a host system. The method includes configuring a system security policy to establish multiple security zones, each security zone corresponding to a set of locations on a computer network. Each zone has a corresponding security configuration that specifies the actions to be taken when a protected operation is requested by active content downloaded from that security zone. During a Web browsing session, the mechanism of the invention determines the security zone corresponding to the network location currently being browsed. Prior to performing a protected operation, the mechanism of the invention determines the action to perform, based on the current Web site's security zone, the requested operation, and the security setting corresponding to the requested operation and the Web site's zone. The Web browser displays visual information indicating the security zone corresponding to a server computer when a Web document from the server computer is being displayed.
In accordance with other aspects of this invention, during a browsing session between a client computer and a server computer, when a document is received at the client computer the browser determines if the document wishes to perform any protected operations on the client computer. If the document requires access to a protected operation, the browser determines a security setting corresponding to the zone from which the document was retrieved. Depending on the configuration of the protected operation within the security zone, the browser may perform the protected operation, prevent the performance of the protected operation, or query a user whether to perform the protected operation and selectively perform the protected operation based on the user response.
In accordance with other aspects of this invention, the client computer may be located behind a firewall, and receive active content from server computers behind the firewall and remote server computers external to, or outside of, the firewall. The browser may be configured so that one security zone does not include any server computers that are external to the firewall and so that another security zone includes only server computers that are behind the firewall. Preferably, the browser is configured so that the security zone corresponding to the server computers external to the firewall specifies a higher level of security than the security zone corresponding to server computers protected by the firewall.
In accordance with the invention, the system security policy is comprised of a number of security zones that each have an associated zone security configuration that is enforced by a security manager application on the user's computer system. Each security zone is associated with one or more server computers that are grouped into the security zone according to the likelihood that the server computers within that security zone may contain harmful active content. The user may utilize one or more predefined security zones, configure custom security zones, or do nothing and accept a default set of predefined security zones.
In accordance with other aspects of the invention, each security zone has an associated zone security policy. The user may select one of a number of predefined zone security policies, configure a custom zone security policy, or do nothing and accept a default zone security policy for the security zone. In an actual embodiment of the invention, the predefined zone security policies define levels of security that represent "high" security (most secure), "medium" security (more secure), and "low" security (least secure). The custom security policy permits the user to customize the zone security policy to a level defined by the user's configuration of the same security components that make up the predefined "high", "medium", and "low" pre-configured security policy options.
In accordance with further aspects of the invention, configuration of the system security policy may include the configuration of progressively "finer grain" steps or levels. The "coarsest grain" level is the configuration of one or more security zones. Each security zone has a set of configurable protected operations that can be configured. For some protected operations that regulate active content, one or more sets of permissions can be configured. Permission sets can be configured for different contexts, for instance, different permission sets can be configured for active content that is digitally signed and for active content that is not digitally signed. Each permission set can have a number of permissions and each of the permissions may have a set of parameters. At the "finest grain" of configuration, the parameters can be configured using one or more primitives.
In accordance with the present invention, at the protected operations configuration level, the user may specify whether a protected operation is allowed (enabled), is not allowed (disabled), or if the user should be prompted to determine the action that should be taken. For some protected operations, it is desirable to specify a "finer grain" configuration of the actions that are available to the protected operation when it is simply "enabled." The right to perform an action on a host system requested by a subject of a protected operation is called a permission. The configuration of the permissions available to a protected operation, at the permission configuration level, is a level "down" in the configuration of the custom zone security policy. The user may specify at the permission configuration level those permissions that define a protected operation. The permission can be granted to the protected operation (enabled), denied to the protected operation (disabled) or the user prompted for instructions when the permission is required.
In addition to configuring protected operations within security zones, the permissions that define protected operations may be configured for the context of the active content that requests the privileged operations. For instance, the user could configure the permission to be enabled when the protected operation is requested by "signed" active content, and disabled when the protected operation is requested by "unsigned" active content. For example, in an actual embodiment of the invention, the administration of permissions available to Java applets and classes is a protected operation. The user may enable or disable individual permissions for Java applets and classes in permission sets that are applied depending on the context of the active content within a zone. A permission may be configured differently in different permission sets within the same security zone. For instance, a signed applet may request access to all files on the host system. In accordance with the invention, the access all files permission may be configured in one permission set to enable the access of all files when the applet is signed and configured differently in a second permission set to disable the access to all files permission when the applet is unsigned.
In accordance with further aspects of the invention, the capabilities of each permission may be defined by a set of "parameters" that can be configured at a parameter configuration level. In contrast to the configuration of the permissions at the permissions configuration level (a level "up") where all the capabilities of the permission are enabled, disabled, or set to require a prompt of the user, the configuration of the parameters at the parameter configuration level allows for the "fine grained" configuration of each permission. For instance, in an actual embodiment of the invention, the File I/O permission determines whether a Java applet can perform file operations on the user's computer. The File I/O permission includes parameters that determine if the File I/O permission has the right to read, write or delete files on the host computer. Parameters are defined using a number of primitive types. In accordance with the invention, a primitive is an expression that can represent values like "5", "true", "*.doc", include/exclude pairs and arrays of these types.
In accordance with the present invention, permissions for active content are grouped in one or more user permission sets that are stored in a system registry and associated with a security zone. Each security zone may have a number of differently-defined permission sets that are associated with active content having different attributes from within the same security zone. For example, in an actual embodiment of the invention, each security zone has three associated user permission sets that are stored with the zone configuration policy in the system registry: a trusted signed permission set, an untrusted signed permission set, and an unsigned permission set. If the retrieved active content is unsigned (has not been digitally signed) then the unsigned active content is granted a set of permissions corresponding to the unsigned permission set associated with the zone from which the active content was retrieved. If the retrieved active content is signed (has been digitally signed) then the present invention uses the trusted signed permission set and the untrusted signed permission set associated with the security zone from which the active content was downloaded to determine the permissions that will be granted to the active content, denied to the active content, or for which the user will be queried before the permission is granted.
In accordance with further aspects of the invention, the publisher of active content such as Java applets, classes or scripts, may externally attach a list of permissions to the active content that specifies the permissions the active content requires in order to run on the host computer. The list of permissions, or "requested permission set," is prepared by the publisher of the active content and preferably specifies the most restrictive set of permissions within which the active content can run. The present invention allows the publisher to specify each permission down to the parameter configuration level.
In accordance with another aspect of the invention, the publisher attaches the requested permission set to the outside of the active content so that the user computer does not have to run the active content in order to discover the permissions that the active content requires in order to run on the host system. The requested permission set may be included in a signed code package that also contains the computer executable instructions and other files associated with the active content. Requested permission sets may also be signed using a catalog file. A catalog file contains a manifest of hash values for other files such as cabinet files, class files, requested permissions initialization files, etc. The manifest is digitally signed, thereby authenticating the files listed in the manifest if the hash value in the manifest is equal to the newly calculated hash value of the file when it is downloaded. When the signed code package is downloaded to the user's computer, the present invention authenticates the identity of the publisher and verifies that the contents of the signed code package are identical to the information that was in the signed code package when it was signed. If the active content has not been digitally signed, the active content is granted only those permissions contained in the unsigned permission set.
If the active content has been signed, the identity of the publisher and the integrity of the downloaded signed code package are verified by the present invention. If this verification succeeds, the requested permission set is extracted from the signed code package or catalog file and then compared to the user's permission sets associated with the security zone that the signed code package was downloaded from. In an actual embodiment of the invention, the requested permission set from the signed code package is compared to the trusted signed permission set. If the requested permission set contains a subset of the permissions configured in the trusted signed permission set, the permissions requested in the requested permission set are granted and associated with the active content. If the requested permission set includes permissions, or parameters within permissions, that exceed those specified in the trusted signed permission set, the permissions in the requested permission set are compared to the untrusted signed permission set. The untrusted signed permission set may be either a deny set or a query set depending on the value of a Query/Deny flag associated with the untrusted signed permission set. If the untrusted signed permission set is a deny set and the untrusted signed permission set contains (intersects) any permissions, or parameters within permissions, that are within the requested permission set, the requested permission set is automatically denied and the active content is not run. If the untrusted signed permission set is flagged as a query set, the requested permissions must be a subset of the query set before the requested set will be granted. Any permission that is not in the query set is assumed to be in the denied set. Therefore, if the requested set is not a subset of the query set, there is at least one permission that is in the deny set and the requested set is rejected.
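The decision sequence described above can be sketched as follows. This is an added example, not code from the patent: it flattens each permission set to a set of capability strings, the zone contents and the names ZonePolicy and decide are hypothetical, signature verification is taken as already done, and prompting the user when a request neither fits the trusted set nor touches a deny set is an assumption, since the text does not state that case.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ZonePolicy:
    trusted_signed: frozenset    # granted automatically to signed content
    untrusted_signed: frozenset  # a deny set or a query set, per the flag
    untrusted_is_deny: bool      # the Query/Deny flag
    unsigned: frozenset          # all that unsigned content can receive


def decide(requested, signed, zone):
    """Return (action, granted set). `signed` means the publisher identity
    and package integrity were already verified successfully."""
    requested = frozenset(requested)
    if not signed:
        # Unsigned content gets only the zone's unsigned permission set.
        return "GRANT", zone.unsigned
    if requested <= zone.trusted_signed:
        return "GRANT", requested
    if zone.untrusted_is_deny:
        if requested & zone.untrusted_signed:
            return "DENY", frozenset()   # touches the deny set: do not run
        return "QUERY", requested        # assumption: prompt the user
    # Query set: anything outside it is treated as denied, so the whole
    # request must fit inside the query set before the user is asked.
    if requested <= zone.untrusted_signed:
        return "QUERY", requested
    return "DENY", frozenset()


# Constructed zones for illustration only.
INTRANET = ZonePolicy(
    trusted_signed=frozenset({"file.read", "file.write", "net.connect"}),
    untrusted_signed=frozenset({"file.delete", "registry.write"}),
    untrusted_is_deny=True,
    unsigned=frozenset({"ui.window"}),
)
INTERNET = ZonePolicy(
    trusted_signed=frozenset({"ui.window"}),
    untrusted_signed=frozenset({"ui.window", "net.connect", "file.read"}),
    untrusted_is_deny=False,
    unsigned=frozenset(),
)

if __name__ == "__main__":
    for zone_name, zone in (("intranet", INTRANET), ("internet", INTERNET)):
        for req in ({"file.read"}, {"net.connect", "file.delete"}):
            print(zone_name, sorted(req), decide(req, True, zone)[0])
```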
In accordance with further aspects of the invention, a requested permission set is automatically compared to a user permission set by the mechanism of the invention to determine if the permissions requested in the requested permission set exceed the permissions defined in the user permission set. The method and system of the invention first determines if there are any permissions in the requested permission set that are not in the user permission set. If the permission is in the requested set and not in the permissions allowed by the user (the user permission set), the requested set is not automatically granted. If the permission is in the requested set and in the denied set then the content is not run. Next, corresponding permissions in the requested permission set and the user permission set are compared to each other. When the permissions compare themselves to each other, they compare parameter to corresponding parameter. To compare a parameter to a corresponding parameter, each primitive that defines a parameter in the requested permission set is compared to a primitive that defines a parameter in the user permission set.
Comparing the requested permission set to the user permission set involves comparing zero or more permissions in the requested permission set to zero or more corresponding permissions in the user permission set. Each permission may have one or more parameters that specify the capabilities of the permission. Each parameter may have one or more primitives that define the parameter. The method and system of the present invention automates these progressive comparisons in a manner that produces a directional result of each comparison and maintains the direction of the result. These results are successively merged to produce a directional comparison result that can be used in later decisions to determine an action to take. For example, when comparing a requested permission set to a user permission set, it is important to be able to determine if the requested permission set is a SUBSET of the user permission set or alternatively, if the user permission set is a SUBSET of the requested permission set. In this example, it is apparent that it is important to keep track of the directional nature of the comparison result because in the former case it may be appropriate to grant the permission, while in the latter case it may not be appropriate to grant the permission.
In accordance with the invention, the direction of set comparison results is maintained while the results of many comparisons that may occur on many different levels are combined to produce a cumulative directional set result. In other words, a requested permission set compares to a user permission set, which requires that requested permissions compare to user permissions, which requires that a requested permission's parameters compare with a user's permission's parameters, which requires that the primitives that define a requested permission's parameter compare to a user's permission's primitives. Each comparison results in an answer that must be combined with the answers from all other comparisons in a manner that yields a meaningful combined answer that preserves the direction of the comparison in a directional result.
In an actual embodiment of the present invention, the comparison of a primitive to a primitive produces a cumulative directional primitive result. The cumulative directional primitive result of each parameter is then combined to produce a cumulative directional parameter result. The cumulative directional parameter result of each parameter is then combined to produce a cumulative directional permission result. Finally, the cumulative directional permission result of each permission is combined to produce a cumulative directional permission set result. Because the present invention performs the comparison and accumulates the results in a manner that maintains the direction of the comparison, the cumulative directional result may be used at any level to describe the directional results of all previous comparisons to that level.
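The accumulation of directional results from primitives up to a permission set can be illustrated with the following added example, which is not code from the patent. The four result values, the merge rule, the treatment of an exclude list as reversing direction, and all names and sample data are assumptions chosen for illustration.

```python
from enum import Enum


class Dir(Enum):
    EQUAL = "equal"        # both sides allow exactly the same
    SUBSET = "subset"      # requested stays within the user side
    SUPERSET = "superset"  # requested exceeds the user side
    OVERLAP = "overlap"    # each side allows something the other does not


def merge(a, b):
    """Combine two directional results without losing the direction."""
    if a is Dir.EQUAL:
        return b
    if b is Dir.EQUAL or a is b:
        return a
    return Dir.OVERLAP  # opposite directions, or already incomparable


def flip(d):
    """Reverse a direction: a longer exclude list means a narrower grant."""
    return {Dir.SUBSET: Dir.SUPERSET, Dir.SUPERSET: Dir.SUBSET}.get(d, d)


def compare_primitive(req, usr):
    """Booleans and numeric limits are ordered; frozensets use inclusion."""
    if req == usr:
        return Dir.EQUAL
    if isinstance(req, frozenset):
        if req < usr:
            return Dir.SUBSET
        return Dir.SUPERSET if req > usr else Dir.OVERLAP
    return Dir.SUBSET if req < usr else Dir.SUPERSET


def compare(req, usr):
    """Requested vs. user: set -> permission -> parameter -> primitive."""
    if not isinstance(req, dict):
        return compare_primitive(req, usr)
    result = Dir.EQUAL
    for key in sorted(req.keys() | usr.keys()):
        if key not in usr:
            part = Dir.SUPERSET  # requested item the user side lacks
        elif key not in req:
            part = Dir.SUBSET    # user side allows an item not requested
        else:
            part = compare(req[key], usr[key])
        if key == "exclude":
            part = flip(part)
        result = merge(result, part)
    return result


def auto_grant(req, usr):
    """Only EQUAL or SUBSET means the request stays within the user set."""
    return compare(req, usr) in (Dir.EQUAL, Dir.SUBSET)


# Constructed sample data: permission -> parameter -> primitive(s).
USER_SET = {
    "FileIO": {
        "read": {"include": frozenset({"*.doc", "*.txt"}),
                 "exclude": frozenset({"secret.doc"})},
        "write": {"include": frozenset({"*.tmp"})},
    },
    "Network": {"connect": True, "max_connections": 5},
}
REQ_NARROW = {
    "FileIO": {"read": {"include": frozenset({"*.doc"}),
                        "exclude": frozenset({"secret.doc", "payroll.doc"})}},
    "Network": {"connect": True, "max_connections": 2},
}
# Narrower file access but a higher connection limit: incomparable overall.
REQ_MIXED = {
    "FileIO": {"read": {"include": frozenset({"*.doc"}),
                        "exclude": frozenset({"secret.doc"})}},
    "Network": {"connect": True, "max_connections": 50},
}
# Same include lists as the user set, but the exclusion has been dropped.
REQ_NO_EXCLUDE = {
    "FileIO": {"read": {"include": frozenset({"*.doc", "*.txt"})},
               "write": {"include": frozenset({"*.tmp"})}},
    "Network": {"connect": True, "max_connections": 5},
}
```

Swapping the arguments of compare reverses SUBSET and SUPERSET, which is the information a plain equal/not-equal check would lose.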
In an actual embodiment of the invention, the cumulative directional permission set result is used to determine if the permissions in a user permission set should be granted, denied, or the user should be prompted for a choice of whether to grant or deny the permissions as a set. The present invention is not limited to this implementation, however. For instance, the cumulative permission result could be used to determine if an individual permission should be granted, denied, or the user prompted for the proper action. Other decisions could be based on the cumulative directional result at "lower levels" of the accumulation.
As will be readily appreciated from the foregoing description, a system and method of providing security when downloading active content formed in accordance with the invention provides a way of selectively restricting protective operations that can be performed by active content retrieved from a computer network, such that the restrictions may vary according to the level of trust that a user has for each security zone. The invention allows the user to configure a browser to a fine grain administration of privileges allowed to active content so that the different security zones and different contexts within those security zones reflect different levels of trust for each corresponding group of network locations. Default security settings corresponding to each security zone protected operation, permission and parameter among the security zones simplify the process of configuring the browser. Allowing a user to modify the default settings provides users with customizable security to allow for differing situations or concerns. The invention minimizes the amount of disruption that may occur during a browsing session in order to determine the user's preferences. By allowing a user to configure the security settings at a time convenient to the user, the invention increases the likelihood that the user will carefully consider the choices involved in security configurations. The ability to customize the security of the host system to a fine grain level also permits more sophisticated users, such as system administrators, to tailor the security of browsers under the administrator's control to the specific security requirements of an organization.